HBASE-27673 Fix mTLS client hostname verification (apache#5065)

Signed-off-by: Peter Somogyi <psomogyi@apache.org> Signed-off-by: Bryan Beaudreault <bbeaudreault@apache.org> (cherry picked from commit 43aa9b3) Change-Id: I40f704e12d2c675eb28270639ec2a3a631e456c3
vinayakphegde · Feb 28, 2023 · 86e3dd7 · 86e3dd7
1 parent 4458889
commit 86e3dd7
Showing 1 changed file with 28 additions and 1 deletion.
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
@@ -19,10 +19,12 @@
 
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_ENABLED;
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT;
+import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED;
 
 import java.io.IOException;
 import java.io.InterruptedIOException;
 import java.net.InetSocketAddress;
+import java.net.SocketAddress;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import org.apache.hadoop.conf.Configuration;
@@ -60,6 +62,7 @@
 import org.apache.hbase.thirdparty.io.netty.util.concurrent.DefaultThreadFactory;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.OptionalSslHandler;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
+import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler;
 import org.apache.hbase.thirdparty.io.netty.util.concurrent.GlobalEventExecutor;
 
 /**
@@ -218,7 +221,31 @@ private void initSSL(ChannelPipeline p, boolean supportPlaintext)
       p.addLast("ssl", new OptionalSslHandler(nettySslContext));
       LOG.debug("Dual mode SSL handler added for channel: {}", p.channel());
     } else {
-      p.addLast("ssl", nettySslContext.newHandler(p.channel().alloc()));
+      SocketAddress remoteAddress = p.channel().remoteAddress();
+      SslHandler sslHandler;
+
+      if (remoteAddress instanceof InetSocketAddress) {
+        InetSocketAddress remoteInetAddress = (InetSocketAddress) remoteAddress;
+        String host;
+
+        if (conf.getBoolean(TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED, true)) {
+          host = remoteInetAddress.getHostName();
+        } else {
+          host = remoteInetAddress.getHostString();
+        }
+
+        int port = remoteInetAddress.getPort();
+
+        /*
+         * our HostnameVerifier gets the host name from SSLEngine, so we have to construct the
+         * engine properly by passing the remote address
+         */
+        sslHandler = nettySslContext.newHandler(p.channel().alloc(), host, port);
+      } else {
+        sslHandler = nettySslContext.newHandler(p.channel().alloc());
+      }
+
+      p.addLast("ssl", sslHandler);
       LOG.debug("SSL handler added for channel: {}", p.channel());
     }
   }